Compliance Question of the Week 2019

Question

 

       Answer

Does Fannie Mae require us to review the work of our Quality Control vendor?

Yes, Fannie Mae requires a mortgage lender’s Quality Control Plan to include processes for reviewing the third party QC vendor’s work to ensure that the lender’s requirements and guidelines are applied consistently and that the review results accurately reflect the quality of the lender’s loan originations. The review must be performed at least monthly on a minimum of 10% of the post-closing QC sample reviewed by the vendor to validate the accuracy and completeness of the vendor’s work. The 10% sample must include loans for which the vendor identified defects and for which no defects were identified. Further, this review must be performed by the lender itself and cannot be contracted out. 

In a previous FNMA Selling Guide update with an effective date of January 1, 2020,Fannie Mae added provisions requiring a lender’s monthly QC reports to include final results of the 10% QC vendor review. The reports must be completed within 30 days following the publication of the vendor’s final QC management report.  

Although Fannie Mae does not specify an exact format, the reports must be useful to management in evaluating and monitoring the quality of the outsourced QC service provider. The reports, at a minimum, must include: 

     • a description of the sample selected for review,
     • concurrence rates, and
     • discrepancies identified by the lender. 

The management reports must focus on inaccuracies uncovered in the current month’s review, as well as broad trends revealed by the vendor QC review process, identifying specific corrective action that is needed. 

How will the December 28th, 2019 effective date of the Taxpayer First Act affect me as a lender or servicer?

The Taxpayer First Act was signed into law on July 1, 2019 and goes into effect on December 28, 2019. It requires taxpayers to provide consent for the express purpose for which their tax return information will be used. Additionally, taxpayers must provide their express permission for their tax return information to be shared with any other party. “Tax return information” is defined under the IRS Code, 26 U.S.C. § 6103

Therefore, if a lender or servicer obtains tax return information during the origination or servicing of a mortgage loan, the lender or servicer must obtain express consent from the taxpayer prior to sharing the tax return information with another party. Such sharing would extend to actual or potential owners of the loan, such as Fannie Mae or any other loan participant. 

The IRS has indicated that it has no plans at this time to provide a standard form related to disclosing or sharing tax return information with other parties. However, the Mortgage Industry Standards Maintenance Organization (MISMO®) drafted a sample Taxpayer Consent Form designed to allow sellers/servicers to share tax return information with other loan participants. (available to MISMO members). Many document providers have also prepared a consent which will be added to the early disclosures. Sellers/servicers may also prepare their own taxpayer consent form, as long as the form provides the purpose for which the tax return information will be used and provides the seller/servicer with express permission to share tax return information in accordance with the law. 

I read something recently about updates to Georgia’s background check requirements for lenders licensed in Georgia. What’s changed?

Georgia (GA) recently updated its requirements with regard to pre-hire employment background checks to add a requirement to check the NMLS Consumer Access, in addition to the GA Department of Banking and Finance’s (Department) website for public records related to the prospective hire. All employee files (not just employees working in GA or on GA loan files) must contain proof that both of these searches were run prior to hire in the form of a screen shot or print out. 

Any licensee that fails to examine the Department’s website and NMLS Consumer Access prior to employment in order to confirm employment eligibility may be subject to a fine of $1,000 for each violation. 

For the Department search, a mortgage company should visit https://dbf.georgia.gov/mortgage-information-and-searches and click on “Mortgage Administrative Actions” to run the search. 

Separately, there is an additional Georgia-specific search that must be run on “covered employees.” Covered employees include those employees who physically work in the state of Georgia and who may enter, delete, or verify any information on any mortgage loan application form or document. For these individuals, Georgia requires background checks be run through the Georgia Crime Information Center (GCIC). Please see https://dbf.georgia.gov/sites/dbf.georgia.gov/files/related_files/document/GA-Employee-Background-Checks.pdf for more information. 

It is also important to note that Georgia maintains a strict prohibition against employing any individual with a felony. GA imposes this prohibition without time restrictions and extends it to all employees, whether or not the employee is located in GA or works on GA loans. Failure to abide by this restriction may result in suspension or revocation of a mortgage company’s GA lender license. 

Is it compliant for a mortgage lender to permit a mortgage broker to select the appraisal management company (“AMC”) from which to order an appraisal if the lender provides the broker with a list of authorized AMCs?

No. This process provides the broker with an element of responsibility for selecting and/or retaining the appraiser, and is, therefore, not compliant with the Appraiser Independence Requirements (“AIR”). Fannie Mae has recently been citing Seller/Servicers in relation to this issue. It does not matter if the lender is responsible for the relationship with the AMC, including compensation. 

Notably, a lender may direct a mortgage broker to one specifically authorized AMC if the lender has previously arranged for its appraisal process to be managed by that particular AMC. This process is compliant with AIR because the lender, and not the mortgage broker, is responsible for selecting and/or retaining the appraiser. Additional FNMA AIR FAQs can be found here.

Do both Oregon and Washington tie licensing requirements to an applicant’s residency(not just the location of the subject property)?

Yes, as detailed below:

  • Washington requires an individual to hold a Washington MLO license if the individual offers mortgage brokering or loan origination services (i) to Washington state citizens or (ii) for property in Washington State.

 

° Example:  if an applicant is a “resident” of Washington and looking to purchase a home in Texas, the MLO assisting the applicant with his/her mortgage loan would need to be licensed in both Texas AND Washington.

  • Oregon requires an individual to hold an Oregon mortgage loan originator (“MLO”) license if the individual takes a mortgage loan application or offers or negotiates the terms of a mortgage loan (i) to Oregon residents, (ii) for property located in Oregon State, or (iii) from a fixed physical location in Oregon.

° Example:  if you have a MLO working in Oregon but doing a loan for someone in Florida, that MLO would need to be licensed as an Oregon MLO, in addition to a Florida MLO.

    • Links to the applicable WA and OR regulations and NMLS checklists and description requirements are also included for your reference:



Washington

Oregon

 

What are the best practices for Group Policy Object (GPO) settings for Active Directory accounts?

First of all, if you don’t know what this is and you manage Risk, Compliance, and/or Data Security, please forward to your IT department for their review and to confirm your company meets or exceeds the best practices outlined below. If this isn’t a foreign language, please keep reading. The most commonly used method for user authentication in corporate environments is an Active Directory account with policies and Group Policy Object (GPO) variables set in Group Policy. Whether or not your organization utilizes Active Directory to manage permissions and access to networked resources with GPO defining what a system will look like/how it will behave, the following best practice recommendations are fundamental to security variables in any environment and authenticating application:

  • Account lockout after 5 failed login attempts;
  • A lockout duration of at least 25 minutes when a lockout occurs;
  • A password expiration policy set to every 90 days at a minimum;
  • Complex password requirements: 1 capital letter, 1 lowercase letter, 1 number, 1 special character, at least 8 characters long;
  • Password history requirements: inability to use previous 12 passwords and; 
  • Idle timeout requirements that lock the end-user’s terminal after 10 minutes of inactivity.

Setting the aforementioned variables along with policy implementation and enforcement provides an additional layer of security to accounts and end-user workstations.

 

 

Does Fannie Mae require its Seller/Servicers to perform an independent audit of the Post-Closing QC Process? If so, what’s changed?

Yes, in an August 7, 2019 announcement, FNMA added further guidance to its Lender Post-Closing QC Review requirements. Chapter D1-3-06 of the Selling Guide specifically calls for an independent audit of the Lender’s QC processes and procedures. 

The lender must have an independent audit process to ensure the following:

  • Its post-closing QC process and procedures are followed by the QC staff.
  • Assessments and conclusions are recorded and consistently applied.
  • Findings must be accurately recorded and consistent with the defects noted in the lender’s system of record.

Results of the QC audit must be distributed to senior management. The audit results must include an affirmative statement that no influence from other business units or bias in the QC conclusions was apparent. Management must distribute the results to the appropriate areas within the organization and an action plan must be established for remediation or changes to policies or processes, if appropriate. The lender must provide a copy of the QC audits and the audit of the QC process to Fannie Mae upon request. 

Requirements related to QC independence must be incorporated into the lender’s QC plan and implemented by January 1, 2020.

Has there been a recent change to the implementation date for the redesigned Uniform Residential Loan Application?

Yes, in a recent joint announcement made by Fannie Mae and Freddie Mac, the mandatory use of the redesigned Uniform Residential Loan Application (URLA) has been postponed to an unspecified date in the future. At the direction of the Federal Housing Finance Agency (FHFA), Fannie Mae and Freddie Mac (the GSEs) announced in June 2019 that the optional use period for the redesigned URLA and automated underwriting system (AUS) implementations would be delayed. FHFA has now directed the GSEs to make specific modifications to the URLA which include:

•  The removal of the following questions from the redesigned URLA form. Instead, a voluntary consumer information form, separate from the URLA form, will be developed to collect this information.

•   The Language Preference question (Borrower Information, Section 1a.)

•   The Homeownership Education and Housing Counseling question
(Lender Loan Information, Section L5.)

•  In the Borrower Information, Section 6: Acknowledgments and Agreements, the statement on “Use and Sharing of Information” will be revised to address specific uses of borrower data.

•  The Military Service question (Borrower Information, Section 1a.) will be moved to a new section adjacent to Section 7: Demographic Information.

•  Minor edits for consistency and usability will be made throughout the URLA form.

To allow industry participants time to make the necessary changes, FHFA and the GSEs will be extending the deadlines for implementation of the URLA and AUS datasets. The mandatory use of the redesigned form and data will no longer begin on February 1, 2020. The agencies will assess the impact of these changes to the timeline and will provide more information about the new implementation dates as soon as it is available.

Has Fannie Mae recently updated its Title Insurer Requirements?

Yes. In a June 5, 2019 announcement, Fannie Mae updated section B7-2-02 of the Selling Guide to reflect the following: 

A title insurer must be:

    • Duly authorized and licensed, as required, to issue title insurance in the state where the property is located; and

    • Further evaluated in accordance with the lender’s procedures for title insurer approval, which may include factors such as:
•  an acceptable rating from a rating agency,
•  financial strength of the title insurer,
•  adequate reserves,
•  record related to satisfactory title claim resolution, or
•  strength of a reinsurance arrangement subject to the guidelines below.

 

Additionally, for Insurers Covered by Reinsurance:

    • If the lender accepts an insurer based on the strength of a reinsurer, both the primary insurer and the reinsuring company must be licensed, as required, to issue title insurance within the state where the property is located and are in good standing with that state’s insurance regulator.

 

  • Both insurance carriers must execute an Assumption of Liability Endorsement (Form 858) or an equivalent endorsement that provides for 100% reinsurance of the primary insurer’s policy and a 90-day written notice of termination of the reinsurance agreement. The alternative endorsement must be attached to the title insurance policy for each individual mortgage.

Lenders can take advantage of this policy change immediately; but must implement the change for title insurer acceptability for loan applications dated on or after September 1, 2019.

 

 

Does Georgia have specific requirements with regard to a mortgage loan originator (“MLO”) acting under Temporary Authority (“TA”)?

Yes, effective January 9, 2020 the Georgia Department of Banking and Finance (the “Department”) requires the following with regard to Temporary Authority: 

    • All advertisements mentioning a MLO’s ability to act as an MLO in GA must “clearly and conspicuously” disclose that the MLO is operating under Temporary Authority in the state, is not currently licensed in GA, and has a pending application with the Department, which may be granted or denied.
    • A MLO purporting to operate under the TA must indicate “TAO,” “temporary authority to operate,” or a substantially similar designation next to the signature line on any document, application, or disclosure signed by the MLO in connection with any residential mortgage loan application, including but not limited to the negotiation of terms or the offering of a loan.
    • Any MLO who qualifies to operate under TA must submit proof to the Department of enrollment in a class to satisfy GA’s MLO education requirements, as well as registering to take the test as required by O.C.G.A. § 7-1-1004(f). Such proof shall be submitted to the Department within thirty (30) days of receipt of the MLO’s application. 
    • Mortgage companies must maintain in their journal of mortgage loan transactions clear identification regarding when any MLO utilizes TA at any point in the application or loan process, as well as the final status of the MLO’s GA license application.
    • Requires mortgage lenders and brokers sponsoring MLOs operating under TA to provide a written disclosure in at least 10-point bold-faced type to an applicant on the date the applicant signs an application or any disclosure, whichever occurs first. The disclosure must be signed by the applicant and must include the following language:
“The Georgia Department of Banking and Finance requires that we inform you that our company is licensed but the mortgage loan originator responsible for your loan is not currently licensed by the Georgia Department of Banking and Finance. The mortgage loan originator has applied for a mortgage loan originator license with the Georgia Department of Banking and Finance. Federal law (12 U.S.C. § 5117) authorizes certain mortgage loan originators to operate on a temporary basis in the state of Georgia while their application is pending. The Georgia Department of Banking and Finance may grant or deny the license. Further, the Georgia Department of Banking and Finance may take administrative action against the mortgage loan originator that may prevent such individual from acting as a mortgage loan originator before your loan closes. In such case, our company could still act as your broker or lender.” 

This disclosure provision becomes effective April 1, 2020.

Does HUD require its approved Mortgagees to check its employees against the exclusionary lists after they are hired? 

Yes. HUD requires all approved Mortgagees to conduct checks to verify employee eligibility at least semi-annually (as indicated in Chapter V.A.2.b.i.(B) of the HUD Handbook 4000.1).

    • Excluded Parties List:
      • The Mortgagee must verify employee eligibility for all officers, partners, directors, principals, managers, supervisors, loan processors, loan underwriters, loan originators and all other employees and Affiliates participating in HUD programs for or on behalf of the Mortgagee using the 

System for Award Management (SAM) Excluded Parties List



    • Limited Denial of Participation:
      • The Mortgagee must verify employee eligibility for all officers, partners, directors, principals, managers, supervisors, loan processors, loan underwriters, loan originators, and all other employees and Affiliates participating in HUD programs for or on behalf of the Mortgagee, using the 

Limited Denial of Participation (LDP)

    •  list. 



    • National Mortgage Licensing System and Registry:
      • The Mortgagee must verify that all employees and Affiliates participating in HUD programs for or on behalf of the Mortgagee are registered with the 

National Mortgage Licensing System and Registry (NMLS)

    • , unless excluded from NMLS requirements by law or regulation.



  • Required Documentation:
    • Mortgagees must maintain documentation that supports each employee’s eligibility.

 

In addition, HUD requires Affiliate monitoring as indicated in Chapter V.A.2.b.ii of the HUD Handbook 4000.1. HUD defines the term as follows: Affiliates are contractors, agents, vendors, sub-servicers, and sponsored TPOs who participate in FHA programs on behalf of an FHA-approved Mortgagee. 

    • Affiliate monitoring must include a periodic (semi-annual at a minimum) re-verification of the Affiliate’s compliance with all applicable laws related to licensing, qualification, eligibility, or approval to originate or subservice Mortgages.

 

  • Required Documentation: The Mortgagee must document the methodology used to review Affiliates, the results of each review, and any corrective actions taken as a result of review Findings. The procedures used to review and monitor a Mortgagee’s Affiliates must be included in the Mortgagee’s QC Plan.

My company’s loan originators (“LOs”) use social media to market themselves. What are some key controls I should put in place to monitor their activity?

Social media platforms (LinkedIn, Twitter, Facebook, websites, etc.) have become a popular way for LOs to market themselves and their services. These types of commercial communications will be considered advertising by regulators and violations of advertising requirements can be costly. It is, therefore, important that residential mortgage companies employing LOs monitor their activities throughout the internet to ensure compliance with federal and state advertising requirements. Some best practices for implementing a social media oversight program include, but are not limited to:

•  Identifying, at the time of hire, where an LO may have a social media presence and performing a targeted audit for compliance purposes.

•  Training LOs on the “do’s and don’ts” of social media and advertising.

•  Maintaining social media business pages on behalf of LOs and restricting them from using personal social media pages for business purposes (this allows an LO to maintain a commercial internet presence while also helping to ensure company control and oversight).

•  Requiring all content to be approved by the mortgage company’s compliance department prior to posting.

•  Actively and frequently monitoring social media activity, which may include ongoing audits, automated trigger notifications, or implementing software that identifies possible violations for the compliance department to review.

•  Documenting findings and corrective action, such as assigning additional training to LOs that are in violation of the company policy.

•  Performing a social media search at the time of de-boarding a departing LO to ensure the LO updates all social media pages removing any affiliation with the company. If an LO does not update his/her social media presence in a timely manner, a mortgage company should document its attempts to have the LO make the requested changes.

What are Fannie Mae’s internal audit requirements?

As noted in Fannie Mae’s Selling Guide A1-1-01: Application and Approval of Lender, Fannie Mae requires lenders to have “internal audit and management controls to evaluate and monitor the overall quality of its loan production and/or servicing.”

As outlined in Fannie Mae’s Beyond the Guide, “an appropriate internal audit program should at a minimum include the following key elements:

•    An independent reporting structure with direct report to senior management and/or the board of directors. There should be no shared reporting lines within the QC functional areas to be reviewed by the internal audit function.

•    A risk assessment methodology used to identify the operational areas and functions to be audited and the frequency of those audits. The risk assessment is generally completed annually by the internal audit department to identify the scope of the review and apply risk rating to the areas to be reviewed. The risk assessment generally identifies the frequency of reviews based on the risk rating applied to the areas listed.

•    Documented policies and procedures to detail the internal audit review processes, govern reporting to senior management, and address the remediation of findings.

•    A departmental and functional audit schedule for a minimum 12-month period. The schedule should identify the areas subject to review during the current period and align with the risk assessment.”

While not explicit in the Selling Guide in terms of the number and frequency of audits in  a calendar year, Fannie Mae leaves it to its Seller/Servicers to determine those items; however, the number of audits and frequency should be commensurate with the size and complexity of the organization.  A single audit does not meet the minimum requirements as evidenced in recent MORA examination results requiring a Seller/Servicer to submit the two most recent internal audit reports, minimum 12-month audit schedule, and most recent risk assessment.

As a Mortgagee, am I required to notify FHA if my company’s net worth decreases or I experience operating losses?

Yes, in some instances. HUD Handbook 4000.1, sections I.A.7(g) and (h) outline the requirements when the Mortgagee must notify FHA. In general, the Mortgagee has an ongoing requirement to notify FHA of any changes to the information outlined in its application for FHA approval or in FHA’s eligibility requirements.

Section I.A.7(g) Liquid Assets or Net Worth Deficiency: If at any time a Mortgagee’s adjusted net worth or liquidity falls below the required minimum, the Mortgagee must submit a Notice of Material Event to FHA within 30 business days of the deficiency. The Mortgagee must submit a Corrective Action Plan that outlines the steps taken to mitigate the deficiency and includes relevant information, such as contributions and efforts made to obtain additional capital.

Section I.A.7(h) Operating Loss: If a Mortgagee experiences an operating loss of 20 percent or greater of its adjusted net worth, the Mortgagee must submit a Notice of Material Event to FHA within 30 business days of the loss. The 20 percent threshold applies to losses in any quarter during the fiscal year or losses that exceed 20 percent on the financial statements submitted at recertification. Following the initial notification, the Mortgagee must submit financial statements every quarter until it shows an operating profit for two consecutive quarters, or until it submits its financial reports as part of its recertification.

Did the U.S. Department of Housing and Urban Development (“HUD”) recently issue guidance on the use of Third Party Verification Services?

Yes, on February 15, 2019, HUD published Mortgagee Letter 2019-01, which specifically authorized the use of Third Party Verification (“TPV”) services to verify a borrower’s employment, income and asset information. The Mortgagee Letter explained that “TPV provides an alternative means for verifying a Borrower’s employment, income, and assets the requirement for a Mortgagee to collect paystubs, W–2s, and bank statements.” HUD explained this revision is meant to align HUD policy with industry practice. 

The revised HUD Handbook 4000.1 (the “Handbook”), issued March 27, 2019, indicates a Mortgagee may use contract support for administrative, human resources, and clerical functions including TPV. The Handbook further explains that TPV refers to a process through which a Borrower’s employment, income, and asset information is verified directly by the Mortgagee with a Borrower’s employer or financial institution, through the services of a third-party vendor. 

The Mortgagee must still obtain the Borrower’s authorization to verify the information needed to process the mortgage application as more fully set forth in the Handbook.

Is it a conflict of interest for my company’s Quality Control (QC) Manager to also be in charge of Post–Closing? Post–Closing is not a production role but it does fall under Operations and I want to make sure my organization stays compliant with regulators and investors.

If the Quality Control (QC) Manager is not part of the loan production staff or part of the loan administrative process there should be no issue. That said, if the Quality Control (QC) Manager is involved in endorsing, insuring or servicing FHA loans then that individual is not permitted to be involved in the QC process as set forth in the HUD Handbook 4000.1. “The Mortgagee must ensure that employees who perform QC Program functions are, at all times, independent of all Loan Administration processes and do not directly participate in any of the Loan Administration processes represented in the QC Plan. The Mortgagee must ensure QC employees are not within any chain of reporting or management that is directly connected to Loan Administration staff” (pg. 912).

The HUD definition of Loan Administration refers to all aspects of the FHA mortgage lifecycle, including origination, underwriting, closing, endorsement, and servicing of FHA-insured Mortgages that are governed by FHA policies and procedures (pg. 910).

Did the U.S. Department of Housing and Urban Development (“HUD”) recently issue guidance on the use of Third Party Verification Services?

Yes, on February 15, 2019, HUD published Mortgagee Letter 2019-01, which specifically authorized the use of Third Party Verification (“TPV”) services to verify a borrower’s employment, income and asset information.  The Mortgagee Letter explained that “TPV provides an alternative means for verifying a Borrower’s employment, income, and assets the requirement for a Mortgagee to collect paystubs, W-2s, and bank statements.”   HUD explained this revision is meant to align HUD policy with industry practice. The revised HUD Handbook 4000.1(the “Handbook”), issued March 27, 2019, indicates a Mortgagee may use contract support for administrative, human resources, and clerical functions including TPV.  The Handbook further explains that TPV refers to a process through which a Borrower’s employment, income, and asset information is verified directly by the Mortgagee with a Borrower’s employer or financial institution, through the services of a third-party vendor. The Mortgagee must still obtain the Borrower’s authorization to verify the information needed to process the mortgage application as more fully set forth in the Handbook.

Did the U.S. Department of Housing and Urban Development (“HUD”) recently clarify its requirements in relation to documenting the transfer of gift funds?

Yes, as part of the revised HUD Handbook 4000.1 (the “Handbook”), issued March 27, 2019, HUD clarified its requirements for verifying and documenting the transfer of gifts from a donor to a Borrower. Specifically, the Handbook now indicates in relevant part:

Regardless of when gift funds are made available to a Borrower or settlement agent, the mortgagee must be able to make a reasonable determination that the gift funds were not provided by an unacceptable source. Italicized language above indicates revisions made to the Handbook.

What requirements do residential mortgage lenders have in regard to notifying their Board of Directors (the “Board”) and/or Executive Management of suspicious activity report (“SAR”) filings?

A compliant and effective AML Program includes, among other components, active involvement and oversight by a mortgage lender’s Board and/or Executive Management. Active involvement and oversight requires obtaining sufficient information on SAR investigations and filings so that the Board – or a Board’s equivalent, such as an Executive Management Committee – is able to fulfill its fiduciary duties to the company. Several federal agencies have issued guidance regarding notification requirements for Board members. This guidance may be useful for mortgage lenders in determining how and what to communicate to Board and/or Executive Management members with regard to SAR filings. Specifically, the Federal Financial Institutions Examination Council’s (“FFIEC”) Bank Secrecy Act / Anti-Money Laundering Examination Manual includes a Suspicious Activity Reporting – Overview section, which indicates in relevant part: “Banks are required by the SAR regulations of their federal banking agency to notify the board of directors or an appropriate board committee that SARs have been filed. However, the regulations do not mandate a particular notification format and banks should have flexibility in structuring their format. Therefore, banks may, but are not required to, provide actual copies of SARs to the board of directors or a board committee. Alternatively, banks may opt to provide summaries, tables of SARs filed for specific violation types, or other forms of notification. Regardless of the notification format used by the bank, management should provide sufficient information on its SAR filings to the board of directors or an appropriate committee in order to fulfill its fiduciary duties, while being mindful of the confidential nature of the SAR.” Additionally, Section 8.1-46 of the Federal Deposit Insurance Corporation’s (“FDIC”) Risk Management Manual Examination Policies explains in relevant part: “Section 353.3 of the FDIC’s Rules and Regulations requires the financial institution’s board of directors, or designated committee, be promptly notified of any SAR filed…

  • Customer’s name and any additional suspects;
  • Social Security Number or TIN;
  • Account number (if a customer);
  • The date range of suspicious activity;
  • The dollar amount of suspicious activity;
  • Very brief synopsis of reported activity (for example, “cash deposit structuring” or “wire transfer activity inconsistent with business/occupation”); and
  • Indication of whether it is a first-time filing or repeat filing on the customer/suspects.

Such a tracking report promotes efficiency in review of multiple SAR filings. Nevertheless, there are still some SARs that the board of directors, or designated committee thereof, should review individually…. Financial institutions are encouraged to develop their own parameters for defining ‘significant SARs’ necessitating full reviews; such guidance needs to be written and formalized within board approved BSA policies and procedures.”

When does transitional licensing go into effect and how will it work?

Pursuant to Section 2155 of the federal Economic Growth, Regulatory Relief, and Consumer Protection Act, MLO transitional licensing authority goes into effect on November 24, 2019. Under the law, the following individuals may be granted temporary authority to act as a mortgage loan originator (“MLO”) while completing state-specific requirements for licensure, such as education or testing:

  • qualified MLOs who are changing employment from a depository institution to a state-licensed mortgage company; and
  • qualified state-licensed MLOs seeking licensure in another state.

NMLS published FAQs entitled, “Temporary Authority to Operate (Temporary Authority) for Mortgage Loan Originators“. Importantly, the FAQs explain that a MLO will not have to submit a separate application for temporary authority. Rather, an MLO applies for a MLO license through NMLS and, if eligible, will automatically receive temporary authority as the applicable state processes the license application. NMLS will be programmed to check certain eligibility requirements, such as criminal history and whether an applicant has had an MLO license application denied, revoked, or suspended. Before a licensing decision is made by the applicable state, an individual with temporary authority will show as being “authorized to conduct business” in the state – the actual license status will not be updated until the state makes a decision with regard to the license application. An individual with temporary authority may originate loans as if he/she possesses a license in that state. The individual and the loans originated by that individual will be subject to the same rules and regulations as applicable to a licensed MLO. IMPORTANTcomponent though, mortgage lenders must monitor the status of an individual’s license application and temporary authority to act as a MLO. If the MLO’s application is ultimately denied, the mortgage lender must reassign any active loans in the pipeline originated by that MLO to a licensed MLO in that state. Further, if a mortgage lender knew of or should have known of a disqualifying event that would cause a license application to be denied, the mortgage lender could face enforcement action by the state for failing to disclose such event. For this reason, it is important to perform background checks and other due diligence on MLOs prior to sponsoring license applications. Refer to AGMB’s prior Compliance Question of the Week: “Is it true there is a new law that permits transitional licensing authority for mortgage loan originators (MLO)?” for detail regarding eligibility requirements and additional information on temporary authority.

Should I maintain a visitor log at my front entrance?

Yes, visitors pose a risk to privacy and security. All companies, especially those in the financial industry who handle consumer non-public and confidential information (NPPI/PII), should maintain a visitor log at each office entrance in order to audit visitors and ensure only authorized individuals are permitted to access the facilities. At a minimum, a visitor log should include the date, time in, visitor’s name, person being visited, reason for the visit, and time out. The employee permitting the visitor should verify the visitor’s identity by reviewing the visitor’s government-issued photo ID to ensure they are who they say they are. A visitor log will also serve as a vital reference tool in the event of unforeseen events (i.e. theft, active shooter situations, or incident breaches) and in an emergency evacuation as it will help accurately account for individuals present within the facility. Mortgage lenders should review branch office visitor logs as part of their branch office oversight procedures to ensure they are being maintained appropriately.

If my third-party provider (“vendor”) has access to consumer personally identifiable information, should provisions addressing the protection of such information be included in the Contractual Agreement with the vendor?

Yes, written agreements with third-party providers should address potential risks associated with data breaches — particularly when the vendor has access to consumer personally identifiable information. The vendor contract is a vital element of the vendor due diligence process and relationship. The contract should capture the nature of the relationship and set forth the contractual rights, obligations and duties of each party. This includes confidentiality requirements, responsibilities in the event of a breach, and liability provisions. Since written contracts are a critical component of a sound vendor management program, regulators may review them with a degree of scrutiny. Failure to maintain sufficient protections within vendor contracts and address risks appropriately may result in unsatisfactory results during a regulatory review or examination. Additionally, insufficient contract protections could expose a company to added civil liability in the event of a breach.

Why is it important to have an adequate compliance training program?

It is important for a residential mortgage lender to develop and implement a written compliance training program to provide employees with the tools needed to succeed given the various rules and regulations that apply and because of the constant regulatory changes. Regardless of a residential mortgage lender’s size, a well-developed compliance training program is a critical component to an effective compliance management system (“CMS”). As part of a thorough CMS, a robust training program helps a company and its employees keep up-to-date on regulatory changes that may impact the business, make correct decisions, manage risks, and avoid costly errors or other legal and/or compliance missteps. A residential mortgage lender’s compliance training program should be current, effective, and commensurate with the entity’s size and risk profile. Oftentimes, this requires training courses to be specifically tailored to reflect how a company operates. It is important that all employees be familiar and in full compliance with a company’s policies and procedures, as well as federal and state consumer protection laws. Employees should also receive comprehensive training based upon their job functions and responsibilities. Per the Consumer Financial Protection Bureau’s Summer 2013 Supervisory Highlights edition http://files.consumerfinance.gov/f/201308_cfpb_supervisory-highlights_august.pdf, mortgage lenders must provide ongoing training to Board members management and staff. Further, certain federal and state rules and regulations require training on specific subject matters at least annually. For example, mortgage lenders must provide anti-money laundering and privacy/security awareness training at least annually. It is recommended that all training (whether informal or formal) be tracked and memorialized so that a mortgage lender can demonstrate to its regulators that employees are properly completing courses. Further, requiring a test component helps ensure employees are sufficiently grasping the material presented. It is important to note that no two compliance training programs will be identical. Your company’s size, organizational structure, and geographical reach may dictate the structure of your program.

I’m applying for Fannie Mae approval but am unsure of the difference between a Quality Control Audit (QC) and Internal Audit. What exactly is the difference?

A mortgage lender is required, for a variety of reasons, to implement a QC program that identifies credit and/or regulatory issues in its origination and servicing functions, as applicable. A QC audit looks at the end product, regardless of whether the process is credit or compliance focused. Generally, QC audits, which are forms of transactional testing, are narrower in scope than Internal Audits. Internal Audits review for and identify a variety of items such as credit, regulatory, operational, financial, and reputational risks. An Internal Auditor looks at the process itself and independently evaluates the risks and control activities within the process. To this end, an Internal Auditor will perform a number of tasks, such as review policies, procedures, and reports, conduct management interviews with the respective business units to gather information on the process evaluated, document evidence of the process through walkthroughs, and perform transactional testing, as needed. The focus is not necessarily on the end product as is the case with a QC audit, but rather the focus is on the adequacy, soundness, and effectiveness of internal controls within a process to ensure that the mortgage lender attains the end result sought while complying with Agency and investor guidelines, laws and regulations and industry best practices.

When will it be mandatory to use the new Uniform Residential Loan Application (URLA) and what are some of the changes?

Originations commencing July 1, 2019 may use the redesigned URLA and all new loan applications commencing February 1, 2020 must use the new URLA. Given that the new URLA was designed to make it easier for lenders to acquire data required by HMDA, it is expected that lenders will require use of the new URLA before the mandatory implementation date in February 2020. The application has more than doubled in size. The length of the new URLA will vary depending on the number of borrowers, type of loan and type of the transaction (sections are added or deleted based on loan scenarios). The look and feel of the redesigned URLA is similar to the Loan Estimate and Closing Disclosure and contains what is considered more easily understood language and clearer instructions. The GSEs also created a Spanish version of the new URLA form. However, a completed English URLA must be signed by all applicants. A few highlights of the new URLA are as follows:

  • New fields have been added based on new federal regulations. For example, there are correct fields for the new demographic information required by HMDA since January of 2018 thereby retiring the Demographic Information Addendum currently utilized.
  • Obsolete fields have been eliminated. For example, the applicant is no longer required to list the make and model of their automobile.
  • There is defined separation of individual borrower applications.
  • The information a borrower must provide, acknowledge and agree to has been separated from the information the broker/lender collects and verifies in connection with the processing and underwriting of the loan.

The redesigned URLA, as well as some FAQs and hints, can be found on the Fannie Mae website here: https://www.fanniemae.com/singlefamily/uniform-residential-loan-application The new URLA is a complete reinvention of the origination of a loan. Brokers and lenders will need to start collecting much more information, which was not previously collected. It is advisable to review the new URLA and start planning how you will collect that data once required.